Ah, I’d forgotten about this when I wrote this post yesterday about Trump’s odd skepticism towards cyberforensics. Here’s what he tweeted yesterday morning:
Unless you catch "hackers" in the act, it is very hard to determine who was doing the hacking. Why wasn't this brought up before election?
— Donald J. Trump (@realDonaldTrump) December 12, 2016
Why wasn’t Russia’s culpability in the DNC hacking brought up before the election? Er, it was. Repeatedly. Here’s WaPo’s tick-tock of how Democrats discovered their system had been infiltrated and what they did to expel the hackers, published June 14th:
Within 24 hours, CrowdStrike had installed software on the DNC’s computers so that it could analyze data that could indicate who had gained access, when and how.
The firm identified two separate hacker groups, both working for the Russian government, that had infiltrated the network, said Dmitri Alperovitch, CrowdStrike co-founder and chief technology officer. The firm had analyzed other breaches by both groups over the past two years.
One group, which CrowdStrike had dubbed Cozy Bear, had gained access last summer and was monitoring the DNC’s email and chat communications, Alperovitch said.
The other, which the firm had named Fancy Bear, broke into the network in late April and targeted the opposition research files.
Alperovitch is the man in the clip below, which aired yesterday on CNN. His firm, CrowdStrike, has a global clientele in cybersecurity and has dealt with “Cozy Bear” and “Fancy Bear” before. “Fancy Bear” is an outfit that works for Russian military intelligence, he believes, whereas “Cozy Bear” is less certain but most likely works for Russia’s FSB. He told PBS this summer that the striking thing about the DNC hack was that the two outfits appeared not to be working in concert; they’re rival agencies that compete with each other and had lifted some of the same documents from the DNC’s servers. It was CrowdStrike that observed the two groups poking through the system and finally expelled both, months after the first successful infiltration.
As for whether it’s “hard” to determine a hacker’s identity, as Trump claims, experts say it’s getting easier all the time. “Cyber criminals always leave evidence behind and forensic cybersecurity capabilities have advanced to the point where we can identify and analyze hacks faster than ever before,” one specialist told USA Today. It’s not foolproof, but then no form of criminal detective work (certainly before the era of DNA) is. The NYT has a blockbuster piece chronicling the saga of the DNC hacking out this afternoon, which you should read if you can spare the time. Here’s how they explain the art/science of sniffing out hackers:
The work that such companies do is a computer version of old-fashioned crime scene investigation, with fingerprints, bullet casings and DNA swabs replaced by an electronic trail that can be just as incriminating. And just as police detectives learn to identify the telltale methods of a veteran burglar, so CrowdStrike investigators recognized the distinctive handiwork of Cozy Bear and Fancy Bear…
Attribution, as the skill of identifying a cyberattacker is known, is more art than science. It is often impossible to name an attacker with absolute certainty. But over time, by accumulating a reference library of hacking techniques and targets, it is possible to spot repeat offenders. Fancy Bear, for instance, has gone after military and political targets in Ukraine and Georgia, and at NATO installations.
That largely rules out cybercriminals and most countries, Mr. Alperovitch said. “There’s no plausible actor that has an interest in all those victims other than Russia,” he said. Another clue: The Russian hacking groups tended to be active during working hours in the Moscow time zone.
Alperovitch doesn’t reveal trade secrets, for obvious reasons, but the CIA and FBI reached similar conclusions about Russia’s role (although not its motives) using their own capabilities. The fact that so many different cyberdefense agencies, public and private, all point to Russia — with real-time observation of the hackers in CrowdStrike’s case — and Trump continues to resist accepting their conclusion leaves you to wonder how brazen Russian spies would need to be to force President Trump to act against them. If Mike Pompeo comes to Trump next summer and reports that “Cozy Bear” and “Fancy Bear” are back in the DNC’s system, what happens then? Russia will deny any responsibility. Whom does Trump trust?
As further enticement to read that Times piece, let me tease two related tidbits. One: The FBI reportedly tried to contact the DNC repeatedly last year to warn them about the possibility that they were being hacked, but the DNC’s tech people didn’t treat it as urgent in part because … they thought they might be getting pranked. Evidently no one ever called the FBI to confirm that the agent who was phoning the DNC was a real agent and no one from the FBI ever dropped by the DNC to warn them in person even though FBI headquarters and DNC headquarters are less than a mile apart. Oops. Two: When John Podesta’s emails were later hacked in a phishing attack, via a fake email purporting to be from Google with a link attached inviting Podesta to change his password, Podesta’s aides consulted with a Clinton campaign tech person before clicking the link. The techie emailed back that “This is a legitimate email” and urged the aide to change Podesta’s password immediately. Turns out he meant to type illegitimate, not “legitimate” — or so he now claims, perhaps as a way to cover his ass for not being able to recognize a phishing email when he saw one. Either way, oops.